1. Field of the Invention
The present invention relates generally to computer security and, more specifically, to methods and systems for restricting selected users' access to selected programs or portions of programs.
2. Description of the Related Art
Operating systems and similar software often include security facilities or mechanisms that a system administrator may use to restrict selected users' access to selected program functions or resources. For example, a network administrator may allow only a selected group of users on the network to modify data in a database and prevent other users from doing so. Such security mechanisms typically only allow an administrator to limit access to a program as a whole; they cannot be used to limit access to portions of a program.
In other instances, the security feature may be included in an application program itself. For example, an accounting program package may include a feature that allows an administrator to select which users have access to which functions. Certain users may be given access to, for example, the Accounts Payable functions of the program but not the Accounts Receivable functions, while other users may be given access to the Accounts Receivable functions but not the Accounts Payable functions. Such a security feature may be implemented by hard-coding it into the program. In other words, in response to a user's request to access a certain program function, a code segment in the program obtains the identity of the user (either internally if the user is required to enter a username into the program, or externally from the operating system) and compares the identity to a list of authorized users. If the list indicates that the user is authorized to access that function, the program proceeds to execute the function as requested. If the list indicates that the user is not authorized to access that function, the program does not execute the requested function and may output an error message advising the user that he or she is not authorized.
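The hard-coded, per-function check described in the preceding paragraph, written out as an added illustration (this is not code from the patent or from any product it describes). The function names, user names and the authorization table are hypothetical and constructed for the example; identity is taken internally when the program has its own login, or externally from the operating system via getpass.getuser() otherwise. The check denies by default, so a user missing from the list, or a request for a function the table does not know, is refused rather than executed.

```python
"""Per-function authorization hard-coded into an application program."""
import getpass

# Constructed authorization table: function name -> users allowed to run it.
# In the related art this table lives inside the application itself.
_FUNCTION_ACL = {
    "accounts_payable": {"alice", "carol"},
    "accounts_receivable": {"bob", "carol"},
}


class NotAuthorized(PermissionError):
    """Raised when the caller is not on the function's authorized-user list."""


def current_user(override=None):
    """Identity obtained internally (a username entered into the program,
    passed as `override`) or externally from the operating system."""
    return override if override is not None else getpass.getuser()


def is_authorized(user, function_name):
    """Deny by default: unknown function or unlisted user -> False."""
    return user in _FUNCTION_ACL.get(function_name, set())


def authorized(function_name):
    """Decorator implementing the code segment that runs before a function:
    look up the caller, compare with the list, execute or refuse."""
    def wrap(fn):
        def guarded(*args, user=None, **kwargs):
            who = current_user(user)
            if not is_authorized(who, function_name):
                raise NotAuthorized(
                    f"user {who!r} is not authorized for {function_name}")
            return fn(*args, **kwargs)
        return guarded
    return wrap


@authorized("accounts_payable")
def pay_invoice(vendor, amount):
    """Hypothetical Accounts Payable function."""
    return f"paid {vendor} {amount:.2f}"


@authorized("accounts_receivable")
def record_payment(customer, amount):
    """Hypothetical Accounts Receivable function."""
    return f"recorded {amount:.2f} from {customer}"


_DISPATCH = {
    "accounts_payable": pay_invoice,
    "accounts_receivable": record_payment,
}


def run_request(user, function_name, *args):
    """Handle a user's request for a program function. Returns the function's
    result, or the error message the program would show instead of running it."""
    fn = _DISPATCH.get(function_name)
    if fn is None:
        return "error: no such function"
    try:
        return fn(*args, user=user)
    except NotAuthorized as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    print(run_request("alice", "accounts_payable", "ACME", 10))      # allowed
    print(run_request("alice", "accounts_receivable", "ACME", 10))   # refused
    print(run_request("carol", "accounts_receivable", "Globex", 1.5))  # allowed
```

Note that every program built this way carries its own copy of `_FUNCTION_ACL` and its own way of editing it, which is exactly the administrative burden the following paragraph describes.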
Hard-coding the security feature into an application program may be reasonably convenient if the computer system is only running a single program, but if the computer system is running many programs, as is typical in networked business computing systems, it becomes inconvenient for the system administrator to assign, track and maintain the proper authorizations for all of the programs. Different programs may be written by different vendors and thus may have completely different user interfaces by which the system administrator manages user authorizations. Compounding the difficulty is that a computer network may include different types of computer platforms, such as personal computers operating under the MICROSOFT WINDOWS operating system and IBM AS/400 platforms operating under OS/400. The method by which the network administrator must manage authorizations on one platform may differ from the method required on another platform.
It would be desirable to provide a consistent, convenient means for managing user authorizations that is platform-independent and that can be used with any application program. The present invention addresses these problems in the manner described below.